On conditions for ρ-value is 1 or not of complete family of pairing-friendly elliptic curves

Keiji OKANO

Abstract

We study whether a complete family of pairing-friendly elliptic curves has ρ-value 1 or not. We show that, in some cases, the ρ-value cannot be 1.

1 Introduction

The security of public-key cryptosystems is based on mathematical problems which seem not to have any efficiently computable solutions. For example, RSA cryptosystems are based on the fact that we do not have any effective way of prime factor decomposition for large numbers. Also, there are other cryptosystems which rely on the problem called the discrete logarithm problem (DLP). If elements $a, b$ of a finite cyclic group with large order are given, then the DLP is to give the solution $x$ of $a^x = b$ if it exists. Computing the solution of this problem is apparently difficult. Standard elliptic curve cryptosystems and cryptographic schemes which are based on pairings of elliptic curves depend for their security on the DLP. The standard elliptic curve cryptosystems were proposed by Koblitz [9] and are also called elliptic ElGamal cryptosystems. In the sense of security, the cryptosystems using elliptic curves are much safer and have more tools for encryption than those using the DLP on finite fields. Moreover, they can be applied with small bit sizes. Therefore, they are well studied.

In recent years, pairing-based cryptographic schemes have been suggested. They fit many new and novel protocols including ID-based encryption and one-round three-way key exchange. The cryptographic schemes based on pairings of elliptic curves which we refer to in this paper were suggested by Boneh-Franklin [3] and Sakai-Ohgishi-Kasahara [12]. One of their features is that they require so-called pairing-friendly elliptic curves which have special properties, whereas elliptic ElGamal cryptosystems can be implemented by using almost randomly generated elliptic curves. Many strategies of constructing pairing-friendly elliptic curves have been proposed. We define a parameter $\rho$ that represents how close the given curves are to the ideal in pairing-based cryptographic schemes. This parameter expresses the ratio of $\log q$ and $\log r$, where $q$ is the order of the definition field of a given curve $E$ and $r$ is the order of a prime-order subgroup of the curve: $\rho(E) = \log q / \log r$. If $\rho(E) = 1$, then the curve is ideal. However, it is known that such a case and the cases where $\rho$ is close to 1 are very rare.

In this paper, after introducing the method of constructing a family of pairing-friendly elliptic curves given by Brezing and Weng, we study a parameter $\rho(t(x), r(x), q(x))$ defined for such a family (Definition 2.5), which is different from the $\rho$-value above. The case where the $\rho$-value equals 1 is also ideal, while most cases are not. Only one example of $\rho(t(x), r(x), q(x)) = 1$, constructed by Barreto-Naehrig [2], is known (Remark 2.7). We propose a mathematical problem: "to give conditions that the $\rho$-value equals or is close to 1". We denote the Euler function and the $k$th cyclotomic polynomial by $\varphi(x)$ and $\Phi_k(x)$, respectively. Then our main theorems give many sufficient conditions for $\rho$-values not to be 1 if we take $r(x)$ as a cyclotomic polynomial:

Theorem 1.1. Let $k$ be a positive integer and $D$ a square-free positive integer. Define

$$r(x) := \Phi_k(x).$$

Suppose that $(t(x), r(x), q(x))$ parameterizes a complete family of elliptic curves with CM-discriminant $D$ and embedding degree $k$ with respect to $r(x)$ (these terms are defined in §2). If one of the following holds, then $\rho(t(x), r(x), q(x)) \ne 1$.

(i) The degree $k \in \{1, 2, p, 2p\}$ for some prime number $p$. (If $p$ is odd, then $p$ satisfies $p \equiv 3 \bmod 4$.)

(ii) Conditions $k \in \{pQ, 2pQ\}$, $D = p$, $t(x) = x + 1$ and

$$(p - 2)Q + 1 < \varphi(k).$$

Here, $p \ge 7$ is an odd prime number such that $p \equiv 3 \bmod 4$, and $Q \ge 2$ is an integer.

For example, the inequality in (ii) holds if $k = pq$ and $p < q$.

Theorem 1.2. Let $k, d$ be positive integers and $D$ a square-free positive integer. Define

$$r(x) := \Phi_{dk}(x), \qquad t(x) := x^{dg} + 1, \qquad dg < \varphi(dk),$$

where $\gcd(g, k) = 1$. Suppose that $(t(x), r(x), q(x))$ parameterizes a complete family of elliptic curves with embedding degree $k$ and CM-discriminant $D$ with respect to $r(x)$. Then the following hold.

(i) Whether the $\rho$-value is 1 or not can be reduced to the case where $\gcd(d, k) = 1$ and $d$ is square-free, by removing $\gcd(d, k)$ and the square factor from $d$.

(ii) If one of the following holds, then $\rho(t(x), r(x), q(x)) \ne 1$.

(ii-a) The degree $k = 3, 6$.

(ii-b) The degree $k$ has a square factor.

2 Family of Pairing-Friendly Elliptic Curves

In this section, we briefly explain pairing-based cryptosystems on elliptic curves. After that, we describe the strategy of constructing families of pairing-friendly elliptic curves as proposed by Brezing and Weng [6]. We use the notation $\mathbb{N}, \mathbb{Z}, \mathbb{Q}$ for the set of positive integers, rational integers and rational numbers, respectively. We write $\mathbb{F}_q$ for a finite field with order $q$. Pairing-based cryptographic systems require a non-degenerate alternating pairing which can be efficiently computed. For example, the most common pairings used in applications are the Weil and Tate pairings. We define the embedding degree with respect to a cyclic group of order $r$ as the degree of the extension field which the pairing maps to. In other words:

Definition 2.1. Let $q$ be a power of a prime number, $E$ an elliptic curve over $\mathbb{F}_q$, and $r$ a prime number such that $r \mid \#E(\mathbb{F}_q)$, $r \nmid q$. Here $E(\mathbb{F}_q)$ stands for the points of $E$ over $\mathbb{F}_q$. The embedding degree of $E$ with respect to $r$ is the smallest positive integer $k$ such that $r \mid \#\mathbb{F}_{q^k}^{\times}$.

Suitable curves for pairing-based cryptographic systems require a subgroup with large prime order $r$ and an efficiently computable pairing with small embedding degree $k$. Therefore, for many embedding degrees and prime numbers, we should construct elliptic curves having such properties. We remark that the embedding degree of supersingular elliptic curves is at most 6. Hence, in practice, ordinary elliptic curves are used. The order of an elliptic curve $E$ over $\mathbb{F}_q$ is given by

$$\#E(\mathbb{F}_q) = q + 1 - t,$$

where $t \in \mathbb{Z}$ is the trace of the Frobenius map.

Lemma 2.2 ([8, Proposition 2.4]). Assume that $r \nmid kq$. Then the condition of Definition 2.1 is equivalent to $\Phi_k(t - 1) \equiv 0 \bmod r$. Here, $\Phi_k$ is the $k$th cyclotomic polynomial.




We describe the CM-method as proposed by Atkin and Morain, which is the strategy of constructing elliptic curves with given parameters.

Theorem 2.3 (Atkin-Morain [1]). Let $k$ be a positive integer. Suppose that there are some $t, r, q$ satisfying the following properties:

(i) $q$ is a power of a prime number.

(ii) $r$ is a prime such that $r \nmid k$.

(iii) $r \mid q + 1 - t$; in other words, there is $h \in \mathbb{N}$ such that $rh = q + 1 - t$.

(iv) $r \mid q^k - 1$, and $r \nmid q^i - 1$ $(1 \le i < k)$.

(v) There exist some $y \in \mathbb{Z}$ and some square-free positive integer $D$ such that the equation $Dy^2 = 4q - t^2$, i.e., $Dy^2 = 4rh - (t - 2)^2$, holds.

($D$ is called a CM-discriminant.) Then there exists an elliptic curve $E$ over $\mathbb{F}_q$ which satisfies the following:

(a) $\#E(\mathbb{F}_q) = q + 1 - t$ and there is a subgroup of $E(\mathbb{F}_q)$ with prime order $r$.

(b) The embedding degree with respect to $r$ is $k$.

In practice, the method can construct curves over finite fields when $D$ is below the bound given in [13]. Suppose that an elliptic curve $E/\mathbb{F}_q$ has embedding degree $k$ with respect to a prime number $r$. For applying it to pairing-based cryptography with a sufficient security level, Freeman-Scott-Teske [8] defined "pairing-friendly" curves. Namely, $E$ is pairing-friendly if the following two conditions hold: $r \ge \sqrt{q}$, $k \le (\log_2 r)/8$.

One of the known algorithms for constructing pairing-friendly elliptic curves is the Cocks-Pinch method. The Brezing-Weng method which we refer to later (Theorem 2.6) basically uses the Cocks-Pinch idea over polynomials. Moreover, define

(1) $\rho(t, r, q) := \dfrac{\log q}{\log r}.$

This value measures how good the curve is for cryptography. The case where $\rho(t, r, q)$ equals (or is close to) 1 is ideal. One of the aims in the study of pairing-based cryptography is to seek curves with such values. We note that the curves produced by the Cocks-Pinch method tend to have $\rho$-values around 2.
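The following Python script is an added illustration, not code from the paper. It works through Definition 2.1, Lemma 2.2, conditions (iii)-(v) of Theorem 2.3 and the $\rho$-value (1) on a constructed toy instance: the Barreto-Naehrig polynomials of Remark 2.7 evaluated at $x = 1$, which give $t = 7$, $r = 97$, $q = 103$ (97 and 103 are prime). The brute-force point count and the search for a curve $y^2 = x^3 + b$ with the prescribed trace (the $D = 3$ case, where every such curve has $j$-invariant 0) are the example's own way of exhibiting the curve whose existence Theorem 2.3 asserts; they are only feasible because the field is tiny. All function names are the example's own.

```python
from math import gcd, isqrt, log, log2

def divisors(n):
    """Positive divisors of n in increasing order."""
    return [d for d in range(1, n + 1) if n % d == 0]

def mobius(n):
    """Moebius function mu(n): 0 if n has a square factor, else (-1)^(number of prime factors)."""
    result, p = 1, 2
    while p * p <= n:
        if n % p == 0:
            n //= p
            if n % p == 0:
                return 0
            result = -result
        p += 1
    return -result if n > 1 else result

def cyclotomic_at(k, n):
    """Phi_k(n) as an exact integer, via Phi_k(n) = prod_{d | k} (n^d - 1)^{mu(k/d)}."""
    num, den = 1, 1
    for d in divisors(k):
        mu = mobius(k // d)
        if mu == 1:
            num *= n ** d - 1
        elif mu == -1:
            den *= n ** d - 1
    return num // den

def embedding_degree(q, r):
    """Definition 2.1: the least k with r | q^k - 1. Since r is prime and r does not
    divide q, q^(r-1) = 1 mod r, so k is found among the divisors of r - 1."""
    for k in divisors(r - 1):
        if pow(q, k, r) == 1:
            return k

def embedding_degree_is(q, r, k):
    """Lemma 2.2: when r does not divide kq, r | Phi_k(q) iff the embedding degree is k."""
    return gcd(r, k * q) == 1 and cyclotomic_at(k, q) % r == 0

def cm_discriminant(q, t):
    """Condition (v) of Theorem 2.3: write 4q - t^2 = D*y^2 with D square-free; returns (D, y)."""
    n = 4 * q - t * t
    for y in range(isqrt(n), 0, -1):       # largest square divisor first, so D is square-free
        if n % (y * y) == 0:
            return n // (y * y), y

def count_points(q, a, b):
    """#E(F_q) for E: y^2 = x^3 + a*x + b over a prime field, by brute force (tiny q only)."""
    squares = {}
    for y in range(q):
        squares[y * y % q] = squares.get(y * y % q, 0) + 1
    total = 1                               # the point at infinity
    for x in range(q):
        total += squares.get((x ** 3 + a * x + b) % q, 0)
    return total

def find_j0_curve(q, t):
    """Search b such that E: y^2 = x^3 + b over F_q has #E = q + 1 - t, i.e. trace t
    (the CM-discriminant D = 3 case of Theorem 2.3); returns b or None."""
    for b in range(1, q):
        if count_points(q, 0, b) == q + 1 - t:
            return b
    return None

def rho_value(q, r):
    """Formula (1): rho(t, r, q) = log q / log r."""
    return log(q) / log(r)

def is_pairing_friendly(q, r, k):
    """The Freeman-Scott-Teske conditions quoted above: r >= sqrt(q) and k <= log2(r)/8."""
    return r * r >= q and k <= log2(r) / 8

# Constructed toy instance: Barreto-Naehrig polynomials at x = 1 give t = 7, r = 97, q = 103.
T, R, Q = 7, 97, 103

if __name__ == "__main__":
    print("r | q + 1 - t:", (Q + 1 - T) % R == 0)
    print("embedding degree:", embedding_degree(Q, R))
    print("Phi_12(q) = 0 mod r:", embedding_degree_is(Q, R, 12))
    print("CM discriminant (D, y):", cm_discriminant(Q, T))
    b = find_j0_curve(Q, T)
    print("y^2 = x^3 + %d over F_%d has %d points" % (b, Q, count_points(Q, 0, b)))
    print("rho:", round(rho_value(Q, R), 4), "pairing-friendly:", is_pairing_friendly(Q, R, 12))
```

For the toy instance the embedding degree comes out as 12 both by the definition and through $\Phi_{12}(q) \equiv 0 \bmod r$, and $4q - t^2 = 363 = 3 \cdot 11^2$ gives $D = 3$. The instance is nevertheless not pairing-friendly in the sense quoted above: $r$ has only seven bits, so $k \le (\log_2 r)/8$ fails, which is exactly what that inequality is meant to exclude.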

Brezing-Weng method

For applications, we would like to be able to construct curves of specified bit size. To this end, we describe families of pairing-friendly curves for which the parameters $t, r, q$ are given as polynomials $t(x), r(x), q(x)$ in terms of a parameter $x$. We give the idea of Brezing and Weng in [6]. According to [8], we define the following, which is based on the conjecture of Bouniakowski and Schinzel [10, p. 323].

Definition 2.4. (i) Let $f(x)$ be a polynomial in $\mathbb{Q}[x]$. If there is some $a \in \mathbb{Z}$ such that $f(a) \in \mathbb{Z}$, then we say $f(x)$ represents integers.

(ii) Assume that a non-constant irreducible polynomial $f(x) \in \mathbb{Q}[x]$ represents integers. If $f(x)$ has a positive leading coefficient and

$$\gcd(\{ f(x) \mid x \in \mathbb{Z} \text{ such that } f(x) \in \mathbb{Z} \}) = 1,$$

then we say $f(x)$ represents primes.

Bouniakowski, Schinzel and other mathematicians conjectured that if $f(x)$ represents primes, then $f(x)$ has infinitely many prime values.

Definition 2.5. Let $k \in \mathbb{N}$ and $D$ a positive square-free integer. Suppose that a triple of non-zero polynomials $(t(x), r(x), q(x)) \in \mathbb{Q}[x]^3$ satisfies the following conditions:

(i) $r(x)$ represents primes.

(ii) $q(x)$ is a power of a polynomial representing primes.

(iii) $r(x) \mid q(x) + 1 - t(x)$, i.e., there exists $h(x) \in \mathbb{Q}[x]$ such that $h(x)r(x) = q(x) + 1 - t(x)$.

(iv) $r(x) \mid \Phi_k(t(x) - 1)$.

(v) There is some $y(x) \in \mathbb{Q}[x]$ such that $Dy(x)^2 = 4q(x) - t(x)^2 = 4h(x)r(x) - (t(x) - 2)^2$.

Then we say that $(t(x), r(x), q(x))$ parameterizes a complete family of pairing-friendly elliptic curves with embedding degree $k$ and CM-discriminant $D$. Moreover, we define

$$\rho(t(x), r(x), q(x)) := \lim_{x \to \infty} \frac{\log q(x)}{\log r(x)} = \frac{\deg q}{\deg r}.$$

The definition of $\rho(t(x), r(x), q(x))$ is different from (1). In addition, we note that it may happen that $(t(x), r(x), q(x))$ satisfying Definition 2.5 does not lead to any explicit examples of elliptic curves: for example, $r(x), q(x)$ may never take integer values simultaneously. But, in the known examples used in applications, this does not happen. We note that $t(x), y(x)$ are determined up to modulo $r(x)$. We have

(2) $\rho(t(x), r(x), q(x)) = \dfrac{2\max\{\deg y, \deg t\}}{\deg r}.$

Next, we describe the Brezing-Weng method. Denote the set of the $k$th primitive roots of unity by $\mu_k \subset \overline{\mathbb{Q}}$. Here $\overline{\mathbb{Q}}$ is an algebraic closure of $\mathbb{Q}$.

Theorem 2.6 (Brezing-Weng [6]). Let $k \in \mathbb{N}$ and $D$ a positive square-free integer. Then execute the following steps.

1. Choose an algebraic number field $K$ which contains $\mathbb{Q}(\mu_k)$ and $\mathbb{Q}(\sqrt{-D})$.

2. Find an irreducible polynomial $r(x) \in \mathbb{Q}[x]$ with positive leading coefficient and an isomorphism $\mathbb{Q}[x]/(r(x)) \to K$.

3. Let $t(x) - 1 \in \mathbb{Q}[x]$ be a polynomial mapping to a fixed element $\zeta_k \in \mu_k$ by the above isomorphism.

4. Let $y(x) \in \mathbb{Q}[x]$ be a polynomial mapping to $(\zeta_k - 1)/\sqrt{-D} \in K$ by the above isomorphism.

5. Let $q(x) \in \mathbb{Q}[x]$ be given by $q(x) := (Dy(x)^2 + t(x)^2)/4$.

If $q(x)$ represents primes and $y(x)$ represents integers, then the triple $(t(x), r(x), q(x))$ parameterizes a complete family of elliptic curves with embedding degree $k$ and CM-discriminant $D$.

Remark 2.7. The choice of $r(x)$ is an important part of this algorithm. In [6], Brezing and Weng calculated the cases where $D = 1$ or $3$ and the $K$'s are cyclotomic fields. On the other hand, [8] collected many examples. Barreto and Naehrig [2] gave an example of $\rho(t(x), r(x), q(x)) = 1$ with $k = 12$, $D = 3$:

$$t(x) = 6x^2 + 1, \qquad r(x) = 36x^4 + 36x^3 + 18x^2 + 6x + 1, \qquad q(x) = 36x^4 + 36x^3 + 24x^2 + 6x + 1.$$

This is the only known example of $(t(x), r(x), q(x))$ which parameterizes a complete family of curves with $\rho$-value 1.

Remark 2.8. We can also consider another problem, which is to find a so-called sparse family of elliptic curves. In detail, to find a family which has infinitely many integral solutions $(x, y)$ of

(3) $Dy^2 = 4h(x)r(x) - (t(x) - 2)^2,$

instead of finding the polynomial identity $Dy(x)^2 = 4h(x)r(x) - (t(x) - 2)^2$. Many results about this problem are also known. We refer to the following examples.

Proposition 2.9 (Miyaji-Nakabayashi-Takano [11], Freeman [7]). The following pairs of polynomials satisfy (i), ..., (iv) in Definition 2.5 and (3). Moreover, their $\rho$-values $\rho(t(x), r(x), q(x)) = \frac{\deg q}{\deg r}$ are 1.

(i) $k = 3$: $t(x) = -1 \pm 6x$, $r(x) = 12x^2 \mp 6x + 1$, $q(x) = 12x^2 - 1$.

(ii) $k = 4$: $t(x) = -x$ (resp. $x + 1$), $r(x) = x^2 + 2x + 2$ (resp. $x^2 + 1$), $q(x) = x^2 + x + 1$.

(iii) $k = 6$: $t(x) = 1 \pm 2x$, $r(x) = 4x^2 \mp 2x + 1$, $q(x) = 4x^2 + 1$.

(iv) $k = 10$: $t(x) = 10x^2 + 5x + 3$, $r(x) = 25x^4 + 25x^3 + 15x^2 + 5x + 1$, $q(x) = 25x^4 + 25x^3 + 25x^2 + 10x + 3$.
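As an added worked example (not code from the paper or from the cited authors), the following Python script implements enough polynomial arithmetic over $\mathbb{Q}$ to check conditions (iii) and (iv) of Definition 2.5, to read off the $\rho$-value $\deg q/\deg r$ of a family produced in the manner of Theorem 2.6, and to solve the CM equation $Dy(x)^2 = 4q(x) - t(x)^2$ of condition (v) for a polynomial $y(x)$ by comparing coefficients from the top degree downwards. It is run on the Barreto-Naehrig family of Remark 2.7 and on Freeman's $k = 10$ family of Proposition 2.9 (iv); for the latter no polynomial $y(x)$ exists for any $D$ up to the search bound, which is the sparse-family situation of Remark 2.8. The function names, the list representation of polynomials and the bound on $D$ are the example's own choices.

```python
from fractions import Fraction
from math import isqrt

# A polynomial over Q is a list of Fractions, lowest-degree coefficient first.
def trim(p):
    """Drop trailing zero coefficients; the zero polynomial is [0]."""
    while len(p) > 1 and p[-1] == 0:
        p.pop()
    return p

def P(*coeffs):
    """Polynomial from integer coefficients, lowest degree first."""
    return trim([Fraction(c) for c in coeffs])

def add(p, q):
    n = max(len(p), len(q))
    return trim([(p[i] if i < len(p) else 0) + (q[i] if i < len(q) else 0) for i in range(n)])

def sub(p, q):
    return add(p, [-c for c in q])

def mul(p, q):
    out = [Fraction(0)] * (len(p) + len(q) - 1)
    for i, a in enumerate(p):
        for j, b in enumerate(q):
            out[i + j] += a * b
    return trim(out)

def divmod_poly(p, q):
    """Long division in Q[x]; returns (quotient, remainder)."""
    rem, q = trim(list(p)), trim(list(q))
    quot = [Fraction(0)] * max(len(rem) - len(q) + 1, 1)
    while any(rem) and len(rem) >= len(q):
        shift = len(rem) - len(q)
        c = rem[-1] / q[-1]
        quot[shift] = c
        for i, b in enumerate(q):
            rem[shift + i] -= c * b
        rem = trim(rem)
    return trim(quot), rem

def compose(f, g):
    """f(g(x)) by Horner's rule."""
    out = [f[-1]]
    for c in reversed(f[:-1]):
        out = add(mul(out, g), [c])
    return out

def cyclotomic(k):
    """Phi_k(x) = (x^k - 1) / prod_{d | k, d < k} Phi_d(x)."""
    poly = P(-1, *([0] * (k - 1)), 1)            # x^k - 1
    for d in range(1, k):
        if k % d == 0:
            poly = divmod_poly(poly, cyclotomic(d))[0]
    return poly

def fraction_sqrt(c):
    """Exact square root in Q, or None if c is not a rational square."""
    n, d = isqrt(abs(c.numerator)), isqrt(c.denominator)
    return Fraction(n, d) if c >= 0 and (n * n, d * d) == (c.numerator, c.denominator) else None

def poly_sqrt(f):
    """y with y^2 = f, or None. The coefficients of y are solved from the top degree
    downwards by comparing coefficients, the bookkeeping used in the proof of Lemma 3.3."""
    f = trim(list(f))
    n = len(f) - 1
    lead = fraction_sqrt(f[n]) if n % 2 == 0 else None
    if not lead:
        return None
    m = n // 2
    y = [Fraction(0)] * (m + 1)
    y[m] = lead
    for i in range(1, m + 1):
        # x^(2m-i) in y^2 has coefficient 2*y_m*y_(m-i) + sum_{j=1}^{i-1} y_(m-j)*y_(m-i+j)
        s = sum((y[m - j] * y[m - i + j] for j in range(1, i)), Fraction(0))
        y[m - i] = (f[n - i] - s) / (2 * lead)
    return y if mul(y, y) == f else None

def cm_polynomial_y(t, q, D):
    """Condition (v) of Definition 2.5: y(x) with D*y(x)^2 = 4q(x) - t(x)^2, or None."""
    f = sub(mul(P(4), q), mul(t, t))
    return poly_sqrt([c / D for c in f])

def find_cm_discriminant(t, q, bound=100):
    """Smallest D <= bound admitting a polynomial y(x), as (D, y); None means the CM
    equation has no polynomial solution (a sparse family in the sense of Remark 2.8)."""
    for D in range(1, bound + 1):
        y = cm_polynomial_y(t, q, D)
        if y is not None:
            return D, y
    return None

def check_family(t, r, q, k):
    """Conditions (iii) and (iv) of Definition 2.5 and the rho-value deg q / deg r."""
    h, rem = divmod_poly(sub(add(q, P(1)), t), r)             # q + 1 - t = h * r + rem
    phi_k_of_t_minus_1 = compose(cyclotomic(k), sub(t, P(1)))
    return {"iii": not any(rem), "h": h,
            "iv": not any(divmod_poly(phi_k_of_t_minus_1, r)[1]),   # r | Phi_k(t - 1)
            "rho": Fraction(len(q) - 1, len(r) - 1)}

# Barreto-Naehrig family (Remark 2.7), k = 12, D = 3.
BN_T, BN_R, BN_Q = P(1, 0, 6), P(1, 6, 18, 36, 36), P(1, 6, 24, 36, 36)
# Freeman's k = 10 family (Proposition 2.9 (iv)), a sparse family.
FR_T, FR_R, FR_Q = P(3, 5, 10), P(1, 5, 15, 25, 25), P(3, 10, 25, 25, 25)
```

For the Barreto-Naehrig family `check_family` returns $h = 1$, confirms $r \mid \Phi_{12}(t - 1)$ and $\rho = 1$, and `find_cm_discriminant` recovers $D = 3$ with $y(x) = 6x^2 + 4x + 1$. For Freeman's family conditions (iii) and (iv) hold with $h = 1$ and $\rho = 1$ as well, but $4q - t^2 = 15x^2 + 10x + 3$ is not $D$ times the square of a polynomial for any $D$, so only integral solutions of (3), not a polynomial $y(x)$, can exist.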
3 Preparation

Let $k$ be a positive integer and $D$ a square-free positive integer. In the rest of this paper, we suppose that $(t(x), r(x), q(x))$ parameterizes a complete family of elliptic curves with embedding degree $k$ and CM-discriminant $D$. Especially, $r(x), q(x)$ are non-constant irreducible. Then the conditions in Definition 2.5 (iii), (iv), (v) become

(4) $r(x) \mid \Phi_k(t(x) - 1),$

(5) $q(x) + 1 - t(x) = h(x)r(x)$ for some non-zero $h(x) \in \mathbb{Q}[x]$,

(6) $Dy(x)^2 = 4h(x)r(x) - (t(x) - 2)^2$ for some $y(x) \in \mathbb{Q}[x]$.

We suppose that

$$\rho := \rho(t(x), r(x), q(x)) = 1.$$

Then $\deg q = \deg r$. Moreover, we obtain $\deg t < \deg r$ and $\deg y < \deg r$ by (2). If $\deg h + \deg r < \deg t$, then $\deg q = \deg t$ by (5). This implies that $\deg h + \deg r < \deg t = \deg r$, which is a contradiction. On the other hand, if $\deg h + \deg r = \deg t\ (\ne 0)$, then the leading coefficient of the right-hand side of (6) is negative. This contradicts that the leading coefficient of the left-hand side is positive. Therefore we have $\deg h + \deg r > \deg t$, so that $\deg h = 0$ by (5). Hence, we put $h := h(x) \in \mathbb{Q}$ if $\rho = 1$.

Lemma 3.1 (see Proposition 2.9 in [8]). If $k = 1$, then $\rho \ge 2$.

Proof. By (4), we see $t(x) \ne 2$, and so $1 \le \deg r \le \deg t$. Hence by (2), we obtain $\rho \ge 2$. □

Lemma 3.2. Assume that $k \ge 2$. Let $K$ be an algebraic number field which is isomorphic to $\mathbb{Q}[x]/(r(x))$. If (4), (5), (6) hold, then $K$ contains the imaginary quadratic field $\mathbb{Q}(\sqrt{-D})$. Hence there exists a polynomial $e(x) \in \mathbb{Q}[x]$ such that $-D \equiv e(x)^2 \bmod r(x)$.

Proof. If $y(x) \equiv 0 \bmod r(x)$, then $t(x) - 1 \equiv 1 \bmod r(x)$ by (6). This implies that $k = 1$, since $t(x) - 1$ corresponds to a primitive $k$th root of unity in $\mathbb{Q}[x]/(r(x))$ by (4). Therefore $y(x) \not\equiv 0 \bmod r(x)$. Then $y(x)$ has an inverse $z(x)$ in $\mathbb{Q}[x]/(r(x))$ and

$$-D \equiv (t(x) - 2)^2 z(x)^2 \bmod r(x)$$

by (6). This implies that $\mathbb{Q}(\sqrt{-D}) \subset K$. The second claim is obtained by $e(x) := (t(x) - 2)z(x)$. □
It is well known (for example, see Boneh-Rubin-Silverberg [4, Corollary 7.3]) that

(7) $\sqrt{-D} \in \mathbb{Q}(\mu_l)$ if and only if $4 \mid l,\ D \mid l$ or $4 \nmid l,\ D \mid l,\ D \equiv 3 \bmod 4$.

Lemma 3.3. Let $f(x) \in \mathbb{Q}[x]$ be a polynomial with degree $m$. If the terms in $f(x)^2$ with degree not less than $m$ are in $\mathbb{Q}[x^a]$, then $f(x) \in \mathbb{Q}[x^a]$.

Proof. The case when $a = 1$ is trivial. Hence we assume that $a \ge 2$, $m \ge 2$. Put $f(x) = f_m x^m + \cdots + f_1 x + f_0$ $(f_i \in \mathbb{Q})$. First, we show

(8) $f_{m-1} = \cdots = f_{m-(a-1)} = 0.$

From the term $x^{2m-1}$ in $f(x)^2$, we obtain $2f_m f_{m-1} = 0$. Therefore $f_{m-1} = 0$ since $f_m \ne 0$. If $a = 2$, we obtain (8). On the other hand, assume that $a > 2$. If we show $f_{m-1} = \cdots = f_{m-i} = 0$ for some $1 \le i \le a - 2$, then we obtain $f_{m-(i+1)} = 0$. Indeed, we have

$$\sum_{j=0}^{i+1} f_{m-j} f_{m-(i+1)+j} = f_m f_{m-(i+1)} + f_{m-1} f_{m-i} + \cdots + f_{m-(i+1)} f_m = 0,$$

which follows from the term $x^{2m-(i+1)}$ in $f(x)^2$. This induces $f_{m-(i+1)} = 0$. Therefore, by induction with respect to $i$, we have (8) for $a > 2$. If $m \le a$, then the proof is completed.

Next, suppose that $m > a$ and, for some $m'$ satisfying $0 \le m' < \frac{m}{a} - 1$, the equations $f_{m-m''a-1} = \cdots = f_{m-m''a-(a-1)} = 0$ hold if $0 \le m'' \le m'$. By the coefficients of $x^{2m-(m'+1)a-i}$ $(1 \le i \le a - 1)$, we have

$$\sum_{j=0}^{m'a+a+i} f_{m-j} f_{m-(m'a+a+i)+j} = 0.$$

Note that $a \nmid i$. Then, by induction with respect to $i$, we have $f_{m-(m'+1)a-1} = \cdots = f_{m-(m'+1)a-(a-1)} = 0$. Consequently, we complete the proof by induction with respect to $m'$. □

Lemma 3.4. For $a, s, k \in \mathbb{N}$, $\Phi_{a^s k}(x) = \Phi_{ak}(x^{a^{s-1}})$.

Proof. Denote a primitive $a^s k$th root of unity by $\zeta$. Then $\zeta$ is a root of $\Phi_{ak}(x^{a^{s-1}})$. So the minimal polynomial $\Phi_{a^s k}(x)$ of $\zeta$ divides $\Phi_{ak}(x^{a^{s-1}})$. Since both polynomials are monic and

$$\varphi(a^s k) = a^s k \prod_{q \mid ak,\ q:\text{prime}} \Bigl(1 - \frac{1}{q}\Bigr) = a^{s-1}\varphi(ak),$$

we obtain the claim. □
4 Proof of Theorem 1.1

Suppose that $r(x) = \Phi_k(x)$. Then we can see that $\rho \ne 1$ if $k = 1, 2$, by $\deg r = \varphi(k)$ and (2). Hence we may assume that $\varphi(k) \ne 1$, i.e., $k \ge 3$. Put $m := \varphi(k)/2$; then $\deg r = 2m$.

Proposition 4.1. If $m = 1$, i.e., $k = 3, 4, 6$, then $\rho \ne 1$.

Proof. Assume that $\rho = 1$. Then $\deg t = 1$ follows from (2) and $\deg t \ge 1$. Put $X := t(x) - 1$. Then, since $x$ and $X$ correspond to primitive $k$th roots of unity, we have

$$X \equiv \begin{cases} x \text{ or } -x - 1 & (\text{if } k = 3) \\ x \text{ or } 1 - x & (\text{if } k = 6) \\ x \text{ or } -x & (\text{if } k = 4) \end{cases} \bmod r(x).$$

In fact, the congruences are equalities since $\deg t = 1$. Therefore $\Phi_k(x) = \Phi_k(X)$. Since $X$ generates a power basis of $\mathbb{Q}(\mu_k)$ over $\mathbb{Q}$, we write $y(x)$ as a polynomial $y(X)$ in $X$ by abuse of notation. Then we can rewrite (6) as

$$Dy(X)^2 = 4h\Phi_k(X) - (X - 1)^2.$$

Now, we treat the case where $k = 3$ (resp. $k = 6$). Since $\Phi_3(x) = x^2 + x + 1$ (resp. $\Phi_6(x) = x^2 - x + 1$), we have $D(y_1 X + y_0)^2 = 4h(X^2 \pm X + 1) - (X^2 - 2X + 1)$, and hence

$$Dy_1^2 = 4h - 1, \qquad 2Dy_1 y_0 = \pm 4h + 2, \qquad Dy_0^2 = 4h - 1.$$

These equations induce $12h(h - 1) = 0$ (resp. $4h(3h - 1) = 0$). So we have $h = 1$ (resp. $h = 1/3$). Thus we obtain $q(x) = (X^2 + X + 1) + X = (X + 1)^2$ (resp. $q(x) = \frac{1}{3}(X^2 - X + 1) + X = \frac{1}{3}(X + 1)^2$) by (5). This contradicts the irreducibility of $q(x)$. Next, we suppose that $k = 4$. Since $\Phi_4(x) = x^2 + 1$, in the same way as above, $D(y_1 X + y_0)^2 = 4h(X^2 + 1) - (X^2 - 2X + 1)$. Hence

$$Dy_1^2 = 4h - 1, \qquad 2Dy_1 y_0 = 2, \qquad Dy_0^2 = 4h - 1.$$

We have $8h(2h - 1) = 0$ and $h = 1/2$. Thus $q(x) = \frac{1}{2}X^2 + X + \frac{1}{2} = \frac{1}{2}(X + 1)^2$ by (5). This contradicts the irreducibility of $q(x)$ again. □

Next, we consider the case where $\varphi(k)/2 \ge 2$.

Proposition 4.2. Suppose that $m \ge 2$. If $k$ is described as $k = p$ or $k = 2p$ by some odd prime number $p$, then $\rho \ne 1$.

Proof. It is sufficient to show that $\deg y > m$ if $k = p$ or $k = 2p$, by $\deg r = 2m$ and (2). Since $x$ corresponds to a $k$th primitive root of unity, we have $t(x) = x^g + 1$ and $\gcd(g, k) = 1$. Note that we know $p = D \equiv 3 \bmod 4$ by Lemma 3.2 and (7). In addition, note that $p \ge 7$ since $m \ge 2$. Therefore, by [5, Theorem 7 on p. 349, Problem 8 on p. 354], we obtain

$$\sqrt{-p} = \sum_{a=0}^{p-1} \chi_p(a)\,\zeta_p^a,$$

where $\chi_p(\cdot)$ stands for a Dirichlet character modulo $p$ of order 2 and $\zeta_p \in \mu_p$. In our case where $p$ is a prime number satisfying $p \equiv 3 \bmod 4$, $\chi_p(\cdot)$ is expressed in terms of the quadratic residue symbol $\left(\frac{\cdot}{p}\right)$ as

$$\chi_p(a) = \left(\frac{a}{p}\right).$$

On the other hand, we claim that there exists some $\frac{p+1}{2} \le b \le p - 2$ such that $\chi_p(b - g) - \chi_p(b) \ne 0$. Indeed, if there exists some such $b$ with $b - g \equiv 0 \bmod p$, then the claim is trivial. Otherwise, if we assume that the claim does not hold, then $\chi_p(b - g) = \chi_p(b)$ for all these $b$. This contradicts the orthogonality of characters, since $p \ge 7$.

Suppose that $k = p$. Then $y(x)$ corresponds to $\dfrac{\zeta_p^g - 1}{\sqrt{-p}}$. Moreover,

$$(\zeta_p^g - 1)\sqrt{-p} = \sum_{a=0}^{p-1} \chi_p(a)\zeta_p^{a+g} - \sum_{a=0}^{p-1} \chi_p(a)\zeta_p^{a} = \sum_{a=0}^{p-1} (\chi_p(a - g) - \chi_p(a))\zeta_p^a = \sum_{a=0}^{p-2} (\chi_p(a - g) - \chi_p(a))\zeta_p^a + (1 - \chi_p(g + 1))\zeta_p^{p-1}.$$

If $\chi_p(g + 1) = 1$, then the term $\zeta_p^b$ does not vanish. This implies that the degree of $y(x)$ is over $m$. On the other hand, assume that $\chi_p(g + 1) = 0$, i.e., $g = p - 1$. Then, since $(1 - \chi_p(g + 1))\zeta_p^{p-1} = -(1 + \zeta_p + \cdots + \zeta_p^{p-2})$, we obtain

$$(\zeta_p^g - 1)\sqrt{-p} = \sum_{a=0}^{p-2} (\chi_p(a - g) - \chi_p(a) - 1)\zeta_p^a.$$

Hence, the term $\zeta_p^{p-2}$ does not vanish since $\chi_p(p - 2 - g) - \chi_p(p - 2) - 1 = \chi_p(2) - 2 \ne 0$. Combining $p \ge 7$ with this, we obtain $\deg y > m$ again. (Alternatively, we obtain $\rho \ne 1$ by computing $\deg t$.) For the last, assume that $\chi_p(g + 1) = -1$. Then

$$(\zeta_p^g - 1)\sqrt{-p} = \sum_{a=0}^{p-2} (\chi_p(a - g) - \chi_p(a) - 2)\zeta_p^a.$$

Therefore, we have only to show that there is an integer $2 \le i \le \frac{p-1}{2}$ such that $\chi_p(p - i - g) - \chi_p(p - i) \ne 2$. Assume that this does not hold. Then we obtain $g = \frac{p-1}{2}$ and

$$\chi_p(2) = \cdots = \chi_p\Bigl(\frac{p-1}{2}\Bigr) = 1, \qquad \chi_p\Bigl(\frac{p+1}{2}\Bigr) = \cdots = \chi_p(p - 1) = -1.$$

This induces a contradiction. Indeed, if $p = 7, 11$, then $\left(\frac{4}{7}\right) = 1$ and $\left(\frac{9}{11}\right) = 1$. Also, if $p \ge 19$, there exists an integer $c$ such that $\sqrt{\frac{p+1}{2}} \le c < \sqrt{p}$. Hence we obtain $\left(\frac{c^2}{p}\right) = 1$ with $\frac{p+1}{2} \le c^2 \le p - 1$. Therefore $\deg y > m$ also holds.

Suppose that $k = 2p$. Then, using $\zeta_{2p} = -\zeta_p$, we see that

$$\sum_{a=0}^{p-1} \chi_p(a)\zeta_p^{a} - \sum_{a=0}^{p-1} \chi_p(a)\zeta_p^{a+g} = \sum_{a=0}^{p-1} (\chi_p(a) - \chi_p(a - g))\zeta_p^a = \sum_{a=0}^{p-2} (\chi_p(a) - \chi_p(a - g))\zeta_p^a + (\chi_p(g + 1) - 1)\zeta_p^{p-1}.$$

If $\chi_p(g + 1) = 1$, then the term $\zeta_p^b$ does not vanish, and the degree of $y(x)$ is over $m$. On the other hand, assume that $\chi_p(g + 1) = 0$, i.e., $g = p - 1$ or $g = 2p - 1$. Then, expanding $\zeta_p^{p-1} = -\sum_{a=0}^{p-2} \zeta_p^a$ as before, we obtain $\deg y > m$ in the same way as in the case when $k = p$. Finally, we assume that $\chi_p(g + 1) = -1$. Then

$$(\zeta_{2p}^g - 1)\sqrt{-p} = \sum_{a=0}^{p-2} (\chi_p(a) - \chi_p(a - g) + 2(-1)^a)\zeta_p^a.$$

If $p > 7$ (resp. $p = 7$), then a term of degree greater than $m$ does not vanish. Hence $\deg y > m$. □

In the same way, we obtain a result for certain composite numbers.

Proposition 4.3. Let $p \ge 7$ be an odd prime number such that $p \equiv 3 \bmod 4$, and $Q \ge 2$ an integer. Suppose that $k \in \{pQ, 2pQ\}$, $D = p$, $t(x) = x + 1$ and $(p - 2)Q + 1 < \varphi(k)$. Then $\rho \ne 1$.

Proof. We show $\deg y > m$ if the conditions in the claim hold. Let $k = pQ$. Then

$$\begin{aligned}
(\zeta_k - 1)\sqrt{-p} &= \sum_{a=1}^{p-2} \chi_p(a)\zeta_p^a(\zeta_k - 1) + \chi_p(p - 1)\zeta_p^{p-1}(\zeta_k - 1) \qquad (\text{where } \zeta_p := \zeta_k^Q) \\
&= \sum_{a=1}^{p-2} \chi_p(a)(\zeta_k^{aQ+1} - \zeta_k^{aQ}) + (1 + \zeta_p + \cdots + \zeta_p^{p-2})(\zeta_k - 1) \\
&= \sum_{a=1}^{p-2} (\chi_p(a) + 1)\zeta_k^{aQ+1} - \sum_{a=1}^{p-2} (\chi_p(a) + 1)\zeta_k^{aQ} + \zeta_k - 1.
\end{aligned}$$

Moreover, there is $\frac{p+1}{2} \le b \le p - 2$ such that $\chi_p(b - 1) - \chi_p(b) \ne 0$. Especially, not all of $\chi_p(a)$ $(\frac{p+1}{2} \le a \le p - 2)$ are equal to $-1$. Since $aQ + 1$, $aQ$ $(1 \le a \le p - 2)$ are different from each other and $aQ + 1$ is less than $\varphi(k)$ by the assumption, this means that $\deg y > m$.

If $k = 2pQ$, since $\zeta_{2p} := -\zeta_p = \zeta_k^Q$, then

$$\begin{aligned}
(\zeta_k - 1)\sqrt{-p} &= -\sum_{a=1}^{p-2} \chi_p(a)\zeta_{2p}^a(\zeta_k - 1) + \chi_p(p - 1)\zeta_p^{p-1}(\zeta_k - 1) \\
&= -\sum_{a=1}^{p-2} (\chi_p(a) + (-1)^a)\zeta_k^{aQ+1} + \sum_{a=1}^{p-2} (\chi_p(a) + (-1)^a)\zeta_k^{aQ} + \zeta_k - 1.
\end{aligned}$$

Since $\chi_p(p - 4) + (-1)^{p-4} = -2 \ne 0$ and $p \ge 7$, we have $\deg y \ge (p - 4)Q + 1 > \frac{p-1}{2}Q$. If $\gcd(p, Q) = 1$, then $\frac{p-1}{2}Q \ge m$. Otherwise, put $Q = p^s 2^t Q'$ with $\gcd(2p, Q') = 1$; then $m = \frac{1}{2}\varphi(p^{s+1})\varphi(2^{t+1})\varphi(Q') \le \frac{1}{2}(p - 1)p^s 2^t Q' = \frac{p-1}{2}Q$. Hence, in the same way, we complete the proof. □

From the proofs above, we can see that $\rho$-values can be computed explicitly. But they tend to be nearly 2.
5 Proof of Theorem 1.2

In this section, for an embedding degree $k$, we consider the case where $r(x)$ is taken as

$$r(x) := \Phi_{dk}(x).$$

Denote by $\zeta_{dk} \in \mu_{dk}$ a primitive $dk$th root of unity corresponding to $x$. Then $\zeta_k := \zeta_{dk}^d \in \mu_k$ (resp. $\zeta_k^g$) corresponds to $x^d$ (resp. $t(x) - 1 = x^{dg}$). Note that we assume $dg < \varphi(dk)$. Then we consider

$$\begin{cases} r(x) = \Phi_{dk}(x), \quad \gcd(g, k) = 1, \quad dg < \varphi(dk), \\ Dy(x)^2 = 4h\Phi_{dk}(x) - (x^{dg} - 1)^2, \\ \rho = 1. \end{cases}$$

Then we have $2dg \le \varphi(dk)$.

First, we show the claim in Theorem 1.2 (i), which says that our consideration reduces to the case where $\gcd(d, k) = 1$ and $d$ is square-free. Assume that $\gcd(d, k) =: e \ge 2$ and write $d = ed'$. Then

$$Dy(x)^2 = 4h\Phi_{dk}(x) - (x^{dg} - 1)^2 = 4h\Phi_{d'k}(x^e) - ((x^e)^{d'g} - 1)^2.$$

Moreover, we see that $d'g < \varphi(d'k)$ and the condition (7) on $D$ does not change. Applying Lemma 3.3, we obtain $y(x) \in \mathbb{Q}[x^e]$. Hence, substituting $x$ for $x^e$, we get

$$Dy(x)^2 = 4h\Phi_{dk}(x) - (x^{dg} - 1)^2, \qquad \gcd(d, k) = 1.$$

Moreover, suppose that $d$ has a square factor. Denote $d = a^2 d'$ $(a \ge 2)$; then

$$Dy(x)^2 = 4h\Phi_{ad'k}(x^a) - ((x^a)^{ad'g} - 1)^2.$$

Applying Lemma 3.3 again, we obtain $y(x) \in \mathbb{Q}[x^a]$. Again we see that $ad'g < \varphi(ad'k)$ and the condition on $D$ does not change. This implies that we may assume that $d$ is a square-free integer. Therefore we have the claim above. In the following, we assume that $d$ satisfies the condition.

Proposition 5.1. If $k = 3, 4, 6$, then $\rho \ne 1$.

Proof. We may remove the case $d = 1$ since it is already shown in Proposition 4.1. If $d \ge 2$ and $\rho = 1$, then $2\varphi(d) = \varphi(dk) \ge 2dg \ge 2d$. Hence $d = 2$ and $g = 1$, so that $k = 3$ since $\gcd(d, k) = 1$. This contradicts $dg < \varphi(dk)$. □
Next, we show the claim in Theorem 1.2 (ii):

Proposition 5.2. If $k$ has a square factor, then $\rho \ne 1$.

Assume that $\rho = 1$. Denote $k = a^2 k'$, $a \ge 2$. Put $m := \varphi(dk)/2$; then $2dg \le 2m$ since $2m = \deg r$. Then

(9) $Dy(x)^2 = 4h\Phi_{dak'}(x^a) - (x^{dg} - 1)^2.$

We have the following:

Lemma 5.3. If $a \ge 2$, then $m < 2dg < 2m$.

Proof. First, we show that $\varphi(dak')/2 \in \mathbb{Z}$. If $d = 1$ and $\varphi(ak')/2 \notin \mathbb{Z}$, then $a = 2$, $k' = 1$. Hence $r(x) = \Phi_4(x)$ and $k = 4$. This contradicts our assumption $\rho = 1$. Hence we may suppose that $d \ge 2$. In this case, we obtain $a \ne 2$ or $d \ne 2$ since $\gcd(d, a) = 1$. Thus $\varphi(dak')/2 \in \mathbb{Z}$.

Now assume that $dg = m$. Then the above fact induces $a \mid dg$, which contradicts $\gcd(dg, a) = 1$. Therefore we obtain $dg < m$.

Second, to induce a contradiction, we assume that $a = 2$. Then

$$Dy(x)^2 = 4h\Phi_{2dk'}(x^2) - x^{2dg} + 2x^{dg} - 1$$

and also $dg < m$, $a \mid 2dg$. Hence, applying Lemma 3.3 with $a = 2$, we obtain $y(x) \in \mathbb{Q}[x^2]$. However, the term $x^{dg}$ in the right-hand side of the above equation is not 0. Since $\gcd(dg, a) = 1$ implies that $dg$ is odd, this is a contradiction. So we have $a \ne 2$.

Third, if $2dg < m$, then we obtain a contradiction from applying Lemma 3.3 to (9) and the fact $a \nmid dg$, in the same way. Hence $m \le 2dg$. Moreover, we see that

$$2dg \ne m = a\varphi(d)\frac{\varphi(ak')}{2}.$$

In fact, if it does not hold, $a \mid 2dg$ (note that $\varphi(ak')/2 \in \mathbb{Z}$, since we already proved $a \ne 2$). Since $\gcd(dg, a) = 1$, this induces $a = 2$, which is a contradiction. Therefore we obtain $dg < m < 2dg$. This completes the proof. □

In the same way as in the proof of Lemma 3.3, we compare the coefficients of both sides of (9), inductively. By Lemma 5.3, we have $2m > 2dg$, so that $\deg y = m$. Denote $y(x) = y_m x^m + \cdots + y_0$, $y_i \in \mathbb{Q}$, $y_m \ne 0$. Again as in the proof of Lemma 3.3, compare both sides from the leading term to the term $x^{2dg+1}$, inductively. Then we have

(10) $y_i = 0, \quad 2dg - m + 1 \le i \le m, \quad a \nmid i$

(note that $m < 2dg$ by Lemma 5.3).

Now suppose that $y_0 \ne 0$. Comparing the terms $x$ in (9), we obtain $Dy_0 y_1 = 0$, and so $y_1 = 0$. Compare both sides again from the constant term up to the term $x^{dg-1}$, inductively. Then $y_i = 0$, $0 \le i \le dg - 1$, $a \nmid i$. Combining (10) with this, we have $y(x) \in \mathbb{Q}[x^a]$ since $dg \le m - 1$. Therefore a contradiction is induced from the terms $x^{dg}$ in both sides of (9).

On the other hand, suppose that $y_0 = 0$. Then, by (9), we obtain $4h = 1$. Combining it with $\deg r = 2m > 2dg$, we have $Dy_m^2 = 1$ and $D = 1$. This implies that $\sqrt{-1} \in \mathbb{Q}(\mu_{dk})$, and so $4 \mid dk$. If $2 \mid d$, then $2 \mid k$ since $d$ is square-free. This contradicts $\gcd(d, k) = 1$. Hence $4 \mid a^2 k'$ and, moreover, we see that $a$ is even since $k'$ is square-free. Therefore, $dg$ is odd. Finally, by comparing the coefficients of (9) in ascending order of powers, we obtain

$$y_i = 0 \quad (0 \le i \le dg - 1,\ a \nmid i).$$

Hence, in the same way as above, a contradiction is induced.

It seems that the most interesting case for cryptography is the case where the embedding degree $k$ consists of powers of 2 or 3. So it is one of the important problems to give explicit formulas for $\rho$-values in the case where Theorem 1.2 (ii) holds. Also, to give bounds on $\rho$-values in many other cases is needed for applications.

Acknowledgement. The author would like to express his gratitude to Naoki Kanayama for a number of helpful suggestions.